CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2024-39480 – kdb: Fix buffer overflow during tab-complete
https://notcve.org/view.php?id=CVE-2024-39480
In the Linux kernel, the following vulnerability has been resolved: kdb: Fix buffer overflow during tab-complete Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer. Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: kdb: corrige el desbordamiento del búfer durante la finalización de tabulación Actualmente, cuando el usuario intenta completar el símbolo con la tecla Tab, kdb usará strncpy() para insertar el símbolo completado en el búfer de comando. Desafortunadamente, pasa el tamaño del búfer de origen en lugar del destino a strncpy() con resultados predeciblemente horribles. Lo más obvio es que si el búfer de comando ya está lleno pero cp, la posición del cursor, está en el medio del búfer, entonces escribiremos más allá del final del búfer proporcionado. • https://git.kernel.org/stable/c/fb824a99e148ff272a53d71d84122728b5f00992 https://git.kernel.org/stable/c/ddd2972d8e2dee3b33e8121669d55def59f0be8a https://git.kernel.org/stable/c/cfdc2fa4db57503bc6d3817240547c8ddc55fa96 https://git.kernel.org/stable/c/f636a40834d22e5e3fc748f060211879c056cd33 https://git.kernel.org/stable/c/33d9c814652b971461d1e30bead6792851c209e7 https://git.kernel.org/stable/c/107e825cc448b7834b31e8b1b3cf0f57426d46d5 https://git.kernel.org/stable/c/f694da720dcf795dc3eb97bf76d220213f76aaa7 https://git.kernel.org/stable/c/e9730744bf3af04cda23799029342aa3c • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-121: Stack-based Buffer Overflow •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-39479 – drm/i915/hwmon: Get rid of devm
https://notcve.org/view.php?id=CVE-2024-39479
In the Linux kernel, the following vulnerability has been resolved: drm/i915/hwmon: Get rid of devm When both hwmon and hwmon drvdata (on which hwmon depends) are device managed resources, the expectation, on device unbind, is that hwmon will be released before drvdata. However, in i915 there are two separate code paths, which both release either drvdata or hwmon and either can be released before the other. These code paths (for device unbind) are as follows (see also the bug referenced below): Call Trace: release_nodes+0x11/0x70 devres_release_group+0xb2/0x110 component_unbind_all+0x8d/0xa0 component_del+0xa5/0x140 intel_pxp_tee_component_fini+0x29/0x40 [i915] intel_pxp_fini+0x33/0x80 [i915] i915_driver_remove+0x4c/0x120 [i915] i915_pci_remove+0x19/0x30 [i915] pci_device_remove+0x32/0xa0 device_release_driver_internal+0x19c/0x200 unbind_store+0x9c/0xb0 and Call Trace: release_nodes+0x11/0x70 devres_release_all+0x8a/0xc0 device_unbind_cleanup+0x9/0x70 device_release_driver_internal+0x1c1/0x200 unbind_store+0x9c/0xb0 This means that in i915, if use devm, we cannot gurantee that hwmon will always be released before drvdata. Which means that we have a uaf if hwmon sysfs is accessed when drvdata has been released but hwmon hasn't. The only way out of this seems to be do get rid of devm_ and release/free everything explicitly during device unbind. v2: Change commit message and other minor code changes v3: Cleanup from i915_hwmon_register on error (Armin Wolf) v4: Eliminate potential static analyzer warning (Rodrigo) Eliminate fetch_and_zero (Jani) v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/i915/hwmon: deshacerse de devm Cuando tanto hwmon como hwmon drvdata (del cual depende hwmon) son recursos administrados por el dispositivo, la expectativa, al desvincular el dispositivo, es que hwmon publicarse antes que drvdata. Sin embargo, en i915 hay dos rutas de código independientes, que liberan drvdata o hwmon y cualquiera de ellas puede publicarse antes que la otra. • https://git.kernel.org/stable/c/cfa73607eb21a4ce1d6294a2c5733628897b48a2 https://git.kernel.org/stable/c/ce5a22d22db691d14516c3b8fdbf69139eb2ea8f https://git.kernel.org/stable/c/5bc9de065b8bb9b8dd8799ecb4592d0403b54281 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-39478 – crypto: starfive - Do not free stack buffer
https://notcve.org/view.php?id=CVE-2024-39478
In the Linux kernel, the following vulnerability has been resolved: crypto: starfive - Do not free stack buffer RSA text data uses variable length buffer allocated in software stack. Calling kfree on it causes undefined behaviour in subsequent operations. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: crypto: starfive: no liberar el búfer de pila Los datos de texto RSA utilizan un búfer de longitud variable asignado en la pila de software. Llamar a kfree provoca un comportamiento indefinido en operaciones posteriores. • https://git.kernel.org/stable/c/5944de192663f272033501dcd322b008fca72006 https://git.kernel.org/stable/c/d7f01649f4eaf1878472d3d3f480ae1e50d98f6c • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-39471 – drm/amdgpu: add error handle to avoid out-of-bounds
https://notcve.org/view.php?id=CVE-2024-39471
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add error handle to avoid out-of-bounds if the sdma_v4_0_irq_id_to_seq return -EINVAL, the process should be stop to avoid out-of-bounds read, so directly return -EINVAL. • https://git.kernel.org/stable/c/5594971e02764aa1c8210ffb838cb4e7897716e8 https://git.kernel.org/stable/c/8112fa72b7f139052843ff484130d6f97e9f052f https://git.kernel.org/stable/c/ea906e9ac61e3152bef63597f2d9f4a812fc346a https://git.kernel.org/stable/c/011552f29f20842c9a7a21bffe1f6a2d6457ba46 https://git.kernel.org/stable/c/5b0a3dc3e87821acb80e841b464d335aff242691 https://git.kernel.org/stable/c/0964c84b93db7fbf74f357c1e20957850e092db3 https://git.kernel.org/stable/c/8b2faf1a4f3b6c748c0da36cda865a226534d520 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-39468 – smb: client: fix deadlock in smb2_find_smb_tcon()
https://notcve.org/view.php?id=CVE-2024-39468
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix deadlock in smb2_find_smb_tcon() Unlock cifs_tcp_ses_lock before calling cifs_put_smb_ses() to avoid such deadlock. • https://git.kernel.org/stable/c/b055752675cd1d1db4ac9c2750db3dc3e89ea261 https://git.kernel.org/stable/c/21f5dd36e655d25a7b45b61c1e537198b671f720 https://git.kernel.org/stable/c/b09b556e48968317887a11243a5331a7bc00ece5 https://git.kernel.org/stable/c/225de871ddf994f69a57f035709cad9c0ab8615a https://git.kernel.org/stable/c/8d0f5f1ccf675454a833a573c53830a49b7d1a47 https://git.kernel.org/stable/c/02c418774f76a0a36a6195c9dbf8971eb4130a15 •